The insurance market cycle is shaped by macroeconomic conditions, loss experiences, and capital availability—fluctuating between hard and soft phases. In cyber, these shifts happen at an accelerated pace, with sharper peaks and deeper troughs than other lines of business. A lack of long-term data and stakeholder confidence has contributed to this volatility, limiting new entrants and constraining capacity just when the market is poised for growth. But what if the industry could smooth out these extremes—ensuring resilience rather than retreat in the face of events? Gallagher Re’s The quest for growth report examines strategies for navigating market volatility and achieving long-term profitability.
The cycle of boom and bust is a certainty in the world of finance. For those in the (re)insurance industry, this certainty manifests as the insurance market cycle - one driven by macroeconomic conditions, loss experiences, and third-party capital availability. Variances in these factors swing the market between profitable hard phases and less profitable soft phases, but in cyber these shifts have occurred at a rapid speed and, historically, feature even sharper peaks and deeper troughs than other lines of business.
This volatility is due to multiple reasons - including a lack of scale and limited long-term data - but the most significant is the lack of stakeholder confidence in an evolving landscape. This limits the number of new entrants, resulting in a retraction and reduction of capacity at a time when the market should have seen impressive growth.
But what if the industry could smooth out these highs and lows of loss experience and recovery? What if capital didn’t shy away at the first signs of an event but rather was resilient and comfortable in its knowledge that the market would learn lessons from its losses and continue to serve its clients?
Cyber insurance is uniquely positioned for exponential growth, but its success hinges on market consistency for policyholders. Achieving this consistency requires proactive preparation now. Gallagher Re holds the view that proactivity today can mitigate and lessen the extreme cyber (re)insurance cycles tomorrow. To achieve this, it is critical to address and manage the two key components driving the market - supply and demand.
Today, we have instruments and relationships in place to significantly attract the necessary capital to grow the market following a major event. Key stakeholders must then be prepared to lean in when the market does inevitably turn. Successfully managing this ensures a consistent supply to meet an almost infinite potential of demand growth in the market. But we need the underwriting community to do their part too. Rather than withdrawing coverage after a big market loss, let’s collectively learn the lessons from the past. It is within our power to develop the product and distribution to unlock this demand - and in doing so, smooth the periods of exuberance and fallow in current and future cycles.
By applying lessons learned from past cycles, we can proactively change the existing approaches used by the market to solve the challenges of supply and demand of tomorrow. In achieving this, we create a more sustainable and, ultimately, profitable market - even in the face of short-term fluctuations.
This abridged version of The Quest for Growth report has been reproduced with the kind permission of ICMIF Supporting Member Gallagher Re.
Published April 2025
Managing the Insurance Cycle: Lessons From Other Lines
The underwriting cycle persists in many lines of business because insurance companies too often place short-term gains over long-term stability, with little regard given to how to react when an event causes the market to turn.
History has shown that those who instead prioritize sustainable capital protection and embrace market volatility during hardening phases - rather than retreating - were ultimately rewarded. By continuing to provide coverage when others pull back, these contrarians gained client loyalty, strengthened their market position, and were recognized as industry leaders. Deploying fresh capital into distressed segments allowed them to capture market share at premium prices, positioning them for outsized underwriting profits if conditions played out favorably.
Indeed, a hardening market serves as a catalyst for industry resilience, filtering out firms with weak or unsustainable underwriting strategies while firms with deep expertise and a real understanding of risk emerge as leaders.
The 2001 hard market arose from a confluence of the dot-com bubble bursting and 9/11, resulting in simultaneous downturns of both financial and underwriting results. At the time, reinsurers had a greater allocation of their investments to equities, resulting in a fall in reinsurer capital.
After 9/11, cover for terrorism no longer came as a free add-on with US property policies, triggering a sharp market correction. Many (re)insurers elected to stop writing terrorism coverage, withdrawing from the class entirely. However, insurers that continued offering coverage benefited from sustained profitability as catastrophe pricing soared. Several Bermuda-based reinsurers - including Arch Re, Axis Specialty, Montpelier Re, Endurance and Allied World, collectively known alongside a few other carriers as the Class of 2001 - rapidly scaled, collectively writing USD2 billion in premiums within 6 months of launching. This then inspired more insurers to collectively raise more than USD28 billion in fresh capital within a year, allowing them to re-enter the market with adjusted pricing and stricter terms.
With terrorism reinsurance largely unavailable, primary insurers provided limited and selective coverage, often capped at USD150 million or less. These policies came with significantly higher deductibles (often double the standard deductible) and steeper premiums.
A low-loss year for natural catastrophes and the absence of any other major man-made disasters (along with the benefit of no legacy losses) helped those carriers achieve significant profits in 2002, with all five of the Class of 2001 reporting combined ratios in the 90s.
A similar pattern emerged after the 2004-2005 hurricane seasons, when reinsurance shortages created opportunities for new Bermudian reinsurers to scale rapidly and achieve strong returns. These historical examples illustrate a critical lesson: those who remain disciplined and deploy capital strategically in distressed segments - rather than pulling back - will emerge as market leaders and be more profitable. In cyber insurance, this means staying engaged even amid volatility, continuously refining underwriting models, and ensuring access to capital when the market turns.
Cyber - and Why It Isn't 'Special'
The cyber insurance market might be one of the more recent classes of business, but it has not been immune to the market cycle.
In a relatively short window of time, the market has experienced loss events that resulted in dramatic hardening.
Prior to 2017, the market was dominated by a small number of losses suffered by large companies, with costs generally being associated with the legal liability.
Target’s 2013 data breach was one such loss and exposed the vulnerabilities of both corporate cybersecurity and cyber insurance underwriting. Attackers infiltrated Target through a third-party HVAC vendor, installing malware on its point-of-sale systems. This led to the compromise of 40 million payment card accounts and the exposure of 70 million individuals’ personal data. The insured loss was estimated at 60.8% (PCS) of the overall economic loss, estimated at USD148 million (Time), highlighting a significant coverage gap common for losses through this period.
This event, along with other large-scale breaches in the early 2010s, underscored a critical flaw in the cyber insurance market at the time — policies were underpriced and failed to account for the true scope of systemic cyber risks. Many policies lacked adequate coverage for business interruption, reputational damage, and broader third-party liabilities, leaving insureds exposed to significant uncovered losses.
The 2017 NotPetya cyber attack also marked a turning point for the insurance industry, causing more than USD10 billion in damages. Yet only USD3 billion was insured, and just USD300 million (10%) was covered under cyber policies. The rest fell under property coverage. The attack, enabled by leaked nation-state cyber exploits, demonstrated how unpatched software and interconnected networks could amplify cyber threats.
NotPetya forced insurers to re-evaluate “silent” cyber exposure, leading to more selective affirmative coverage and a greater focus on business interruption risks. At the same time, its impact - paired with the rise of cryptocurrency - helped fuel a surge in ransomware, making cyber extortion more scalable and profitable. By 2019, ransomware claims had skyrocketed, exceeding premiums collected, which drove up rates and led to stricter underwriting terms to control losses.
This shift in market dynamics led to unprecedented rate changes in the cyber insurance market. In 2021, portfolio rate increases ranged from 35% to 113%. While the first quarter of 2022 saw continued rate increases, likely due to compounding effects, the market stabilized in the latter half of the year.
These changes stemmed from lessons learned over the previous decade, particularly in response to large-scale data breaches that exposed the limitations of broad, underpriced coverage. In response, the industry refined its pricing model, introducing stricter underwriting standards, higher deductibles, and clearer exclusions - especially for systemic risks.
Where the Cyber Market Got it Wrong
At the same time, underwriters began to look to renew or write less business, as renewing expiring aggregates would have breached their premium business plans. Although few carriers exited the class completely, as far back as 2018, the CIAB reported that average limits for cyber policies had dropped to USD3.2 million, down from an average limit of USD5 million a year earlier. Historically, policy limit ranges had varied from USD10 million to USD50 million, but by 2018, 80% of respondents reported writing limits of USD5 million or less.
Following years of coverage expansion and a rising tide of industry losses, rates began to harden once again, although this time the market provided less aggregate for the same money. Carriers also began withdrawing support for MGAs as a way of limiting their exposure.
This approach may work as a short-term fix, drawing from strategies used in other lines of business during hardening markets. However, this phase of the cycle is often marked by a lack of innovation. After all, if insurers can charge more for providing less, what incentive is there to invest in new products or explore untapped markets? When simply taking rate increases meets business targets and delivers strong underwriting results, the drive to innovate naturally fades.
A once highly innovative cyber market began to stagnate and continues to see a slower pace of innovation today, more than 3 years later. As a result, we saw policy count fall at a time when potential clients were most acutely aware of the potential threat to their business, and a reduction in cyber capacity was met with a reduced demand for the coverage.
Furthermore, these significant rate hikes were met with dissatisfaction from some insurance buyers, who questioned the value of cyber insurance, especially since the product was still young and not universally tailored to the needs of specific types of business. Cybersecurity vendors, meanwhile, saw the rate hikes as an opportunity, purporting to offer insureds better returns on their investments.
Risk Mitigation Improvements after NotPetya
More positively, in the months and years following the NotPetya attack, the industry has proactively enforced stronger baseline security measures. Indeed, focusing solely on premium increases, as seen in the property market, is ineffective for cyber insurance because cyber risks are constantly evolving, with threat actors driving the pace of change. Without strengthened security measures, higher premiums do not reduce loss frequency; instead, they may incentivize attackers to escalate threats while giving businesses a false sense of security, leaving them just as vulnerable as before but paying more. Instead, insurers who focus on risk mitigation can ensure that businesses are not only covered against cyber threats but actively equipped to withstand them.
This approach does have its challenges. As minimum security standards rise, obtaining quotes can become more difficult for businesses - because insurers are demanding stronger controls and practices. While these higher standards help manage risk, they also underscore the need for balance - ensuring robust security requirements while still keeping customers in the market.
Supporting customers in improving their security position is essential for fostering long-term resilience.
The takeaway is clear: sustainable, long-term risk pricing and helping clients to manage and mitigate cyber risk is essential to avoid repeating past cycles of instability.
So, Which Part of the Cycle Are We in Now?
Results have been consistently strong for several years since the ransomware era. The market learned the lessons from the past and improved education around risk mitigation and prevention to the benefit of its end clients, rewarding efforts such as introducing multi-factor authentication, improving staff training, increasing the adoption speed of patches/software updates, and other ways of improving cyber hygiene.
As a result, more insurers entered the cyber market and incumbents grew their existing positions at a higher level of rate, which led original clients to stop buying as much coverage - largely because the product was becoming uneconomic.
As demand dropped, the typical pattern emerged, with some rate reduction offered to try and incentivize more sales of cyber insurance.
While we are seeing some underwriters develop new products, use new forms of distribution, or seek out new territories to drive growth, the market as a whole will start to lose margin - some will reduce their capacity, and less new capacity will come in.
However, cyber insurance in a soft market behaves differently from other lines. The perception of customer lifetime value could drive some carriers to continue softening conditions or hold off on applying strict guardrails - whether in pricing, coverage terms, or security control requirements - even as loss experience begins to deteriorate.
Whenever a market is still evolving, its peaks and troughs tend to be more pronounced, much as we saw during the dot-com bubble. If cyber is treated as a loss leader by some insurers, the natural cycle of hardening in response to worsening claims trends could be delayed. But ultimately, all it will take is a major loss trend or a significant one-off event to trigger the next phase of the cycle - forcing the market to recalibrate once again.
History would suggest that if such a cyber incident happened, rates would go up, and in all likelihood those who already buy cyber insurance would buy more. In addition, those who haven’t yet bought cyber coverage may well choose to do so, as unlike property classes, penetration rates for cyber are still particularly low. In January 2024, CFC estimated the penetration rate for SMEs in the UK for cyber cover was just 15%, while data from the Cyber Security Breaches Survey commissioned by the Department for Science, Innovation and Technology in April 2023 stated just 6% of micro businesses and 11% of small businesses had cyber cover in place.
Cyber is an existential threat to small businesses. Therefore, current market penetration indicates a failure of the insurance industry to bridge the gap between actual and perceived need for cyber insurance among SMEs.
Building a Sustainable Cyber Insurance Market: Avoiding Boom and Bust Cycles
Market cycles are fundamentally driven by supply and demand. To mitigate the steep peaks and troughs of hard and soft markets, we need a stable supply of capital and consistent demand.
One major challenge to creating a more sustainable cyber market for the long term is maintaining its capacity through the inevitable fluctuations of the market cycle. This requires a proactive approach today to prepare the industry for the next major loss event.
We know that if there were a cyber event of significant magnitude, we would likely see a huge increase in those interested in buying cyber, given the relatively low penetration rates today, and those buying would likely buy more. To draw a parallel with property catastrophe (Cat) insurance, some in the market believe a significant cyber loss could be akin to a Category 5 hurricane hitting Florida, which would likely be followed by a tenfold increase in homeowners seeking coverage the next day.
But a surge in cyber demand is not guaranteed. Indeed, Gallagher Re believes that without an increase in investment and innovation into product design to ensure the coverage is sufficient for each individual client’s needs, the expected heightened demand may not emerge. It is up to underwriters to seize this opportunity to develop more bespoke, tailored solutions for clients today to help drive down the protection gap. Gallagher Re also contends that it is imperative that all the industry stakeholders are aligned today, rather than reacting post-event. (Re)insurance management executives must be ready to lean in post-event and commit capital and capacity when the market hardens.
Achieving this aim will require the market to build confidence in tail-risk scenarios so that when a major cyber event occurs, it falls within the accepted parameters of expectations rather than triggering uncertainty and capital withdrawal. At Gallagher Re, we have continued to invest hugely in ensuring we can support our clients on this journey.





